ASA sending RST-ACK to the server..!!

CSCO12318778 (Level 1)

Hello everyone,

I have recently started learning about ASAs and I had an issue while deploying an ASA. Previously we had a router which was acting as a firewall and I was assigned the task to replace it with an ASA 5512. I have configured the access rules and everything. But when I bring up the ASA we are unable to reach the mail server from outside. When I run Wireshark on the mail server it says:

6    0.250255000    X.X.X.2    Y.Y.Y.15    TCP    74    40092 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=344785118 TSecr=0 WS=64

7    0.250319000    Y.Y.Y.15    X.X.X.2    TCP    74    http > 40092 [SYN, ACK] Seq=0 Ack=1 Win=8192 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=181293696 TSecr=344785118

8    0.252076000    X.X.X.2    Y.Y.Y.15    TCP    60    40092 > http [RST, ACK] Seq=1 Ack=1 Win=524288 Len=0

where X.X.X.2 is the external IP from which I was trying to open the mail server on port 80 and Y.Y.Y.15 is my mail server.

And on the ASA it says:

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags PSH ACK  on interface External_Interface

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags PSH ACK  on interface External_Interface

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags FIN ACK  on interface External_Interface

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags FIN ACK  on interface External_Interface

Here Y.Y.Y.85 is the external IP address for my mail server.

I have tried TCP state bypass but it didn't work. Can anyone please help me with this?

Thanks in advance...

Raj


5 Replies

Jouni Forss (VIP Alumni)

Hi,

Log messages seem to point to a situation where the ASA is blocking a packet for a connection that doesn't exist on the ASA yet or has been removed from it before.

I think the ASA usually sends TCP Reset to the host when the ASA is configured to Reset a connection that is not allowed according to its ACLs.

I guess this might also be due to asymmetric routing. For example, if the TCP SYN arrived at the server from some OTHER device than the ASA and the server then sent traffic through its default gateway, which would be the ASA, then the ASA would drop the SYN, ACK since it never saw the original SYN.

- Jouni

Hello Jouni,

Thank you for the reply. I don't think I have any asymmetric route. Can you please let me know how to look for an asymmetric route? Moreover, when I captured asp-drop packets I found this:

6: 14:40:39.724068 192.168.2.15.80 > 10.10.10.2.41828: S 1930943544:1930943544(0) ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

7: 14:40:39.974269 192.168.2.15.80 > 10.10.10.2.41829: S 2640695216:2640695216(0) ack 2109706537 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

8: 14:40:45.724556 192.168.2.15.80 > 10.10.10.2.41828: S 1932490255:1932490255(0) ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

9: 14:40:45.974375 192.168.2.15.80 > 10.10.10.2.41829: S 2642506900:2642506900(0) ack 2109706537 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

(Here 192.168.2.15 is my mail server and 10.10.10.2 is my external IP; I am testing it in the lab.)

but I didn't mention any rule which blocks the packets.

--

Raj
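The thread shows two ASA drop formats: the pipe-delimited 106015 "Deny TCP (no connection)" syslog lines in the question and the "capture asp-drop" listing in the reply above. As an added example (not code from the thread or from Cisco), the script below parses both formats, groups drops per flow, and separates bare-SYN policy denials from ACK-bearing packets dropped without state, which is the symptom Jouni's asymmetric-routing and ACL/NAT reasoning is about. The sample lines are constructed; apart from the lab addresses already in the thread, the 203.0.113.0/24 and 198.51.100.0/24 hosts are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two formats in the thread: pipe-delimited
# %ASA-6-106015 syslog lines and a "capture asp-drop" listing. 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges standing in for real hosts.
SAMPLE = """\
6|Oct 01 2013|19:08:31|106015|203.0.113.7|1305|198.51.100.85|80|Deny TCP (no connection) from 203.0.113.7/1305 to 198.51.100.85/80 flags PSH ACK  on interface External_Interface
6|Oct 01 2013|19:08:31|106015|203.0.113.7|1305|198.51.100.85|80|Deny TCP (no connection) from 203.0.113.7/1305 to 198.51.100.85/80 flags FIN ACK  on interface External_Interface
6: 14:40:39.724068 192.168.2.15.80 > 10.10.10.2.41828: S 1930943544:1930943544(0) ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 14:40:39.974269 192.168.2.15.80 > 10.10.10.2.41829: S 2640695216:2640695216(0) ack 2109706537 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
8: 14:40:46.100000 203.0.113.9.51000 > 192.168.2.15.25: S 11:11(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SYSLOG_RE = re.compile(
    r"^\d\|[^|]*\|[^|]*\|106015\|(?P<src>[^|]+)\|(?P<sport>\d+)\|(?P<dst>[^|]+)\|"
    r"(?P<dport>\d+)\|Deny TCP \(no connection\).*?flags (?P<flags>[A-Z ]+?)\s+on interface")
ASP_RE = re.compile(
    r"^\d+: \S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<tf>[A-Z.]+) \d+:\d+\(\d+\)(?P<ack> ack \d+)?.*?Drop-reason: \((?P<reason>[^)]+)\)")
TCPDUMP_FLAGS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK"}

def parse_drop_line(line):
    """Return (flow 4-tuple, set of TCP flags, drop reason) or None."""
    m = SYSLOG_RE.match(line)
    if m:
        return (m["src"], m["sport"], m["dst"], m["dport"]), set(m["flags"].split()), "no-connection"
    m = ASP_RE.match(line)
    if not m:
        return None
    flags = {TCPDUMP_FLAGS[c] for c in m["tf"] if c in TCPDUMP_FLAGS}
    if m["ack"]:                      # tcpdump-style "S ... ack N" is a SYN/ACK
        flags.add("ACK")
    return (m["src"], m["sport"], m["dst"], m["dport"]), flags, m["reason"]

def triage(text):
    """Group drops per flow. A dropped bare SYN is a policy decision (ACL);
    an ACK-bearing packet dropped with no connection is a symptom: the forward
    half of the session never built state on the ASA (NAT/ACL) or bypassed
    the ASA entirely (asymmetric routing), which is what the thread is chasing."""
    flags_by_flow = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_drop_line(line)
        if parsed:
            flags_by_flow[parsed[0]] |= parsed[1]
    return {flow: ("stateless drop: check NAT, ACL and routing for the forward direction"
                   if "ACK" in fl else "new connection denied: check ACL")
            for flow, fl in flags_by_flow.items()}
```

Running `triage(SAMPLE)` flags the server's SYN/ACKs toward 10.10.10.2 as stateless drops, matching the eventual finding that a NAT rule stopped the inbound half of the session.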

Have you run a packet-trace for the source and destination to see if it is showing any rules or NATs that would drop the traffic? 

Run something like this

packet-tracer input outside tcp 10.10.10.2 1032 192.168.2.15 25

(using your IPs in the last comment)

and see if that shows any reason for it to be dropped or denied. 

Hi,

Well, any routing-related problem could be checked by simply following the routing tables on the L3 devices in the network and checking the network settings on the related host devices.

To be honest, it would be way simpler to check the ASA configurations for any problems and also issue "packet-tracer" commands to simulate an incoming connection from the external network to the server.

- Jouni

CSCO12318778 (Level 1)

Thank you Jouni,

The issue was resolved. It was a NAT rule which was not allowing the traffic.

--

Raj
